fix(security): restrict SPM plugin network scope to .all(ports: [])

sunny-se · claude · sunny-se · commit 54872ace1edf · 2026-05-26T14:28:35.000+05:30
F-012 / DEVA11Y-481 — The plugin declared unrestricted .all() network
scope (CWE-250) which amplifies blast radius of other findings.
Switch to .all(ports: []) matching what shell scripts already enforce.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/Package.swift b/Package.swift
@@ -19,8 +19,7 @@ let package = Package(
                 ),
                 permissions: [
                     .allowNetworkConnections(
-                        // scope: .all(ports: []),
-                        scope: .all(),
+                        scope: .all(ports: []),
                         reason: "Please allow network connection permission to authenticate and run accessibility rules."
                     ),
                     .writeToPackageDirectory(reason: "Please allow writing to package directory for logging.")
